A. Technical Field
The present invention generally relates to secure systems, and more particularly, to systems, devices, and methods of detecting tampering in electronic systems to prevent unauthorized access to sensitive data.
B. Background of the Invention
Secured electronic systems such as banking terminals protect valuable assets and encrypted sensitive data within a trusted environment to prevent unwanted access or inspection by potential attackers. Typical countermeasures against intruders who tamper with physical devices to gain access to secured sensitive data involve the implementation of a security perimeter around sensitive areas of the device. High-security physical protection includes the application of electric meshes and switches that aid in the detection of tampering attempts and raise a flag to signal the likelihood of an intrusion. Once an intrusion is detected, the secured system may, for example, erase its decryption keys and other sensitive information, which are usually stored in memory devices within the computer system, to prevent capture of secret information by adversaries.
Efficient security measures against physical tampering require 24/7 protection that constantly monitors the physical device that contains the sensitive information, i.e., the device must always remain in a power-on condition to prevent the possibility of unauthorized access during times when power is cut off. Alternatively, non-critical parts of the device may be turned off, while an energy source (e.g., a battery) provides sufficient energy to the device to maintain the security monitoring system in operating condition to continue to protect the most critical components and alert external devices, for example by sending an alarm, in order to ensure a desired level of protection. Thus, even if the secure device itself is completely powered down, the monitoring system remains permanently active and in control of the physical integrity of the device.
Security monitoring systems containing protective electric meshes and other active parts are electrically operated and designed to detect any interruption or modification of a reference signal characteristic, such as a voltage or resistance value, as an indicator of a potential act of physical tampering. Battery power is generally sufficient to additionally monitor environmental conditions, such as temperature and vibrations resulting from shock events, to further increase system security. In particular, hardware security modules (HSMs) that require very high security for key storage and data rely on battery power to perform 24/7 monitoring, such that even in a power outage situation a battery-backed security monitoring system remains in place that controls the security of the physical perimeter of the device and ensures that sensitive data is not accessed without authorization, recorded, or otherwise tampered with. Payment terminals and other devices containing secure microcontrollers use battery-backed security monitoring systems that have an average battery lifetime of about 7 years. This is appropriate in most instances, as HSMs are generally obsolete and replaced within that time period, such that the battery lifetime exceeds the actual operating time of the device in the field.
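The following is an added illustration, not part of the present specification, of the reference-signal monitoring described above: a mesh loop is expected to present a resistance within a fixed window around an assumed nominal value, an open (cut) or shorted or bridged trace leaves that window and trips the monitor, and environmental channels (temperature, shock) are debounced over consecutive samples so that a single transient does not destroy key material. The nominal resistance, tolerance, environmental limits, sample stream and placeholder key are all constructed assumptions chosen for the example.

```python
"""Tamper-mesh monitor (added example): compare mesh resistance and
environmental readings against a reference window and zeroize key material
when the window is left.  All limits below are assumed values, not the
specification's."""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class Limits:
    mesh_ohms_nominal: float = 1000.0  # assumed nominal resistance of the mesh loop
    mesh_tolerance: float = 0.05       # accept +/-5 % drift (temperature, ageing)
    temp_min_c: float = -20.0
    temp_max_c: float = 70.0
    shock_max_g: float = 10.0
    env_consecutive: int = 2           # environmental alarms need N samples in a row


@dataclass
class Sample:
    t: int
    mesh_ohms: float   # float('inf') models an open (cut) loop, 0.0 a short
    temp_c: float
    shock_g: float


class TamperMonitor:
    def __init__(self, key: bytearray, limits: Optional[Limits] = None):
        self.key = key                      # secret material to destroy on tamper
        self.limits = limits or Limits()
        self.tampered = False
        self.events: List[str] = []
        self._env_strikes = 0

    def _mesh_reason(self, s: Sample) -> Optional[str]:
        lim = self.limits
        lo = lim.mesh_ohms_nominal * (1 - lim.mesh_tolerance)
        hi = lim.mesh_ohms_nominal * (1 + lim.mesh_tolerance)
        # An open loop (inf), a short (0) and a bridged trace all leave the window.
        if not (lo <= s.mesh_ohms <= hi):
            return f"t={s.t}: mesh {s.mesh_ohms} ohm outside [{lo:.0f}, {hi:.0f}]"
        return None

    def _env_reason(self, s: Sample) -> Optional[str]:
        lim = self.limits
        if not (lim.temp_min_c <= s.temp_c <= lim.temp_max_c):
            return f"t={s.t}: temperature {s.temp_c} C out of range"
        if s.shock_g > lim.shock_max_g:
            return f"t={s.t}: shock {s.shock_g} g exceeds limit"
        return None

    def zeroize(self) -> None:
        # Overwrite the key in place; the buffer, not a copy, is cleared.
        for i in range(len(self.key)):
            self.key[i] = 0

    def _trip(self, reason: str) -> None:
        if not self.tampered:
            self.tampered = True
            self.zeroize()
            self.events.append(reason)

    def step(self, s: Sample) -> bool:
        """Evaluate one sample; return True if it tripped the monitor."""
        reason = self._mesh_reason(s)
        if reason:                        # mesh deviations trip immediately
            self._trip(reason)
            return True
        env = self._env_reason(s)
        if env:                           # environmental alarms are debounced
            self._env_strikes += 1
            if self._env_strikes >= self.limits.env_consecutive:
                self._trip(env)
                return True
        else:
            self._env_strikes = 0
        return False

    def run(self, samples: Sequence[Sample]) -> List[str]:
        for s in samples:
            self.step(s)
        return self.events


# Constructed sample stream: nominal readings, one transient shock spike
# (ignored by the debounce), then an attacker bridging the loop so that its
# resistance drops by 15 %.
SAMPLES = [
    Sample(0, 1002.0, 25.0, 0.1),
    Sample(1, 998.0, 25.5, 12.0),     # single shock spike: not enough on its own
    Sample(2, 1001.0, 25.5, 0.2),
    Sample(3, 850.0, 25.5, 0.1),      # bridged trace: outside the +/-5 % window
    Sample(4, 850.0, 25.5, 0.1),
]


def demo():
    key = bytearray(b"\xA5" * 16)     # constructed placeholder 128-bit key
    mon = TamperMonitor(key)
    events = mon.run(SAMPLES)
    return events, bytes(key), mon.tampered


if __name__ == "__main__":
    ev, k, t = demo()
    print(ev, k.hex(), t)
```

The debounce on the environmental channels is the practitioner's trade-off: a monitor that zeroizes keys on a single noisy temperature or accelerometer reading turns sensor noise into a denial of service, whereas a cut or bridged mesh trace is unambiguous and is acted on at once.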
However, devices with rather long lifetimes, such as smart meters, are expected to operate in the field for 30 years or more, practically without requiring any maintenance or, at least, with as little maintenance as possible. Given that even the most advanced batteries have a lifetime of less than 10 years, battery-backed monitoring becomes ineffective for these devices once their batteries require replacement and power must be interrupted for a certain period of time to perform maintenance work. Similarly, for industrial devices that are located in remote places, such as oil or gas pipelines, and are designed to operate as no-maintenance devices, replacing batteries in the field is not a viable solution due to the extremely high maintenance and support cost and, more importantly, the security issues associated with powering down and opening a secure device that is intended to remain unopened.
Currently, no practical solutions exist to ensure around-the-clock protection for high-security, long-life devices. Once the device is shut down, it is exposed and there is no security at all. Attackers may access the device and perform circuit modifications without being detected, and after the device is powered back up there is no information to indicate that the device has been invaded and manipulated in the meantime. The most sophisticated attackers may not even attempt to retrieve secrets during the power-off stage but instead take the opportunity to install malicious hardware or code (e.g., a Trojan horse) into the device, such that when the power is turned back on, the modifications the attacker has made can be used to intercept data and expose valuable assets (e.g., record and extract passwords) without leaving a trace that can be easily detected from a remote location.
Therefore, what is needed are tools that provide uninterrupted high-security supervision at the device perimeter, such that even following a power down event, it is possible to determine whether the device has been tampered with, so that appropriate action can be taken.